Health and life insurance companies have access to a powerful new tool for evaluating whether to cover individual consumers: a health "credit report" drawn from databases containing prescription drug records on more than 200 million Americans.

Collecting and analyzing personal health information in commercial databases is a fledgling industry, but one poised to take off as the nation enters the age of electronic medical records. While lawmakers debate how best to oversee the shift to computerized records, some insurers have already begun testing systems that tap into not only prescription drug information, but also data about patients held by clinical and pathological laboratories.

Traditionally, insurance companies have judged an applicant's risk by gathering medical records from physicians' offices. But the new tools offer the advantage of being "electronic, fast and cheap," said Mark Franzen, managing director of Milliman IntelliScript, which provides consumers' personal drug profiles to insurers.

The trend holds promise for improved health care and cost savings, but privacy and consumer advocates fear it is taking place largely outside the scrutiny of federal health regulators and lawmakers.

Ingenix, a Minnesota-based health information services company that had $1.3 billion in sales last year -- and Wisconsin-based rival Milliman -- say the drug profiles are an accurate, less expensive alternative to seeking physician records, which can take months and hundreds of dollars to obtain. They note that consumers authorize the data release and that the services can save insurance companies millions of dollars and benefit consumers anxious for a decision.

"Some insurers can make a decision in the same day, or right on the spot," Franzen said. "That's the real 'value-add.' "

But the practice also illustrates how electronic data gathered for one purpose can be used and marketed for another -- often without consumers' knowledge, privacy advocates say. And they argue that although consumers sign consent forms, they effectively have to authorize the data release if they want insurance.

"As health care moves into the digital age, there are more and more companies holding vast amounts of patients' health information," said Joy Pritts, research professor at Georgetown University's Health Policy Institute. "Most people don't even know these organizations exist. Unfortunately the federal health privacy rule does not cover many of them. . . . The lack of transparency with how all of this works is disturbing."

Ingenix and Milliman create the profiles by plumbing rich databases of prescription drug histories kept by pharmacy benefit managers (PBMs), which help insurers process drug claims. Ingenix, for instance, has servers in the PBM data centers, updating the drug files as frequently as once a day, said John Stenson, senior vice president of consulting for Ingenix, which is a division of UnitedHealth Group. The corporation also owns UnitedHealthcare, the nation's second-largest insurer.

When an insurer makes an online query about an applicant, Ingenix or Milliman's servers scour the data and within minutes or less return reports to a central server at the company. The server aggregates the information going back as far as five years, including the drugs and dosages prescribed, dates filled and refilled, the therapeutic class and the name and address of the prescribing doctor.

Then comes the analysis.

Ingenix's MedPoint tool provides insurers a "pharmacy risk score," or a number that represents an "expected risk" for a group of people, such as 30- to 35-year-old women who have taken prescription drugs, Stenson said. Higher scores imply higher medical costs.

Milliman's IntelliScript codes drugs red, yellow or green, according to the insurer's instructions, with red signaling the greatest risk, Franzen said. Red codes could include the so-called AIDS cocktail drugs and cancer medications, he said.

The companies receive data only on individuals who are in clients in PBMs' databases, generally excluding, say, people who pay for drugs in cash. The profiles cost insurers about $15 a search. IntelliScript gets about 1 million queries from insurers a year, largely individual health insurers.

The system can save money for insurers, said Richard Dick, an entrepreneur who built the database system that Ingenix acquired in 2002.

For instance, if MedPoint produces a report that an individual has been on the highest dose of the cholesterol-reducing drug Zocor for 18 monts, the insurer "would be able to know that you have a very high, near-intractable cholesterol problem," Dick said, and could avoid a costly blood test.

From a business standpoint, it makes no sense for an insurer to sell a plan with a $200 monthly premium if the company knows that the consumer is taking medications that cost $400 every six months, industry experts said. That is why having access to an "objective" source of third-party information is valuable, said Tia Goss Sawhney, a Chicago area health insurance actuary who has used both companies' tools. "Though most people tell the truth most of the time, there are people out there who don't, who leave out something that's incredibly relevant, who may even be able to defraud a company," she said. "That's important because ultimately the people who tell the truth have to pay for those who don't."

Franzen, whose firm expects revenue of $575 million this year, said his clients tell him that about 10 percent of applicants do not disclose pertinent medical conditions in their applications that are later revealed by prescription drug history.

Some health experts worry that insurance companies can make faulty assumptions by looking at prescription drug records, because many drugs have multiple uses. "I had a patient on Amitriptyline for migraines and they were denied life insurance because it's also an antidepressant," said physician Kate Atkinson of Amherst, Mass. "I had to explain it wasn't being used for depression." Another patient was on Prozac -- not for depression, but for menopausal hot flashes. "I wrote an appeal letter, and they still wouldn't give it to her," Atkinson said.

Services such as MedPoint are just "one of many tools" underwriters use to make coverage decisions, said Tyler Mason, a spokesman for UnitedHealthcare, which uses MedPoint. A high-risk score on a profile will often lead to requests for more information from the applicant, he said.

Ingenix and Milliman officials stress that they provide data only with the patient's consent, as required by the Health Insurance Portability and Accountability Act (HIPAA), a 1996 law that governs personal health records information. But HIPAA does not give the Department of Health and Human Services the ability to directly investigate or hold accountable entities, such as pharmacy benefit managers or companies such as Ingenix and Milliman, who are not covered by HIPAA.

A health privacy proposal pending in Congress would expand federal officials' ability to regulate such "downstream" organizations, audit their activities and impose civil fines. The bill also includes a prohibition on the sale of electronic medical records.

Tim Sparapani, senior legislative counsel at the American Civil Liberties Union, said that the products that Ingenix and Milliman are marketing represent the "commodification" of electronic medical records by third parties. "We've got to stop these practices before the marketplace is fully developed and patients lose all control over their medical information," he said.

The field is growing rapidly. Realtime Solutions Group, a company in Woodridge, Ill., is testing whether lab data can be aggregated with prescription and other data for underwriting purposes. The firm is working with two major commercial labs and three large insurers, using thousands of real applicants. Initial results are promising enough that the company plans to proceed to the data-analysis stage, company co-founder Tedd Determan said.

"A lot of insurance companies are starting to use this type of data," said Determan, who co-founded IntelRx, a company that mined prescription databases and was sold to Milliman in 2005. "They said, 'All right. Prescription data is working, let's go and look at other types of data, too.' It's because of the success of one, that we're going after others."

In February, the Federal Trade Commission issued an order saying that MedPoint and IntelliScript are consumer reports under the Fair Credit Reporting Act, so the companies must notify insurers that consumers denied insurance on the basis of these reports have the right to request a copy of the report and that errors be corrected. The FTC's order followed a settlement of allegations that the companies violated the credit-reporting law by failing to provide such notice to insurers.

Bob Gellman, an independent privacy consultant in Washington, said the FTC's decision not to fine the companies sends "the message that it is okay to ignore the law." That, he said, "is absolutely outrageous."

As more health records become electronic, he said, more parties will compete to sell more comprehensive patient data to insurers, driving down data prices. "It will all likely be lawful," Gellman said, "but consumers will likely continue to have no real meaningful choices if they want insurance."

Dick, who conceived the idea of linking the pharmacy databases for underwriting purposes a decade ago, said the pharmacy benefit managers understood the system's privacy implications. He said their attitude seemed one of, " 'Ooh, this is a 60 Minutes' story in the making.' Generally, they wanted to make it a super-secret database, restricted to underwriting."

But now, he said, "there's a huge case for it being opened up for all legitimate access," whether for a patient in an emergency room or for federal government purposes. The key, he said, is full transparency.

He said he has created a privacy tool that requires users to consent before specific data, such as prescription histories, can be released. To work, he said, the tool must be independent of all who hold the data.